System, method and computer readable medium for determining users of an internet service

ABSTRACT

An internet service provider (ISP) is configured to analyze data sent by a user to determine a subscriber account associated with the data and a user associated with the data. A database is then queried to determine the number of users of the subscriber account, with a number above a threshold indicating a likely theft of service. This automatic process is accompanied by automated messaging to the user with information as to the measures taken and remedial options. The messaging may be different dependent on whether the user is deemed to be an authorized user having subscriber account administration rights.

CROSS REFERENCE TO RELATED APPLICATIONS

The present patent application is a continuation of U.S. patentapplication Ser. No. 12/004,635, filed Dec. 24, 2007, titled “SYSTEM,METHOD AND COMPUTER READABLE MEDIUM FOR DETERMINING USERS OF AN INTERNETSERVICE”, now issued U.S. Pat. No. 8,856,314, issued on Oct. 7, 2014,which claims the benefit of provisional patent application No.60/877,500, filed 28 Dec. 2006, titled “ABUSE SENTRY, AUDIT SENTRY,AUTHENTICATION ICON” the entire contents of each are incorporated byreference herein.

FIELD OF THE INVENTION

This disclosure relates to managing subscribers of an internet serviceprovider (ISP) and in particular to determining the number of separateuser browsing workstations utilizing a single subscriber's internetservice. The disclosure has particular application for preventing theftof service from either the ISP and/or the subscriber but it is notintended that the disclosure be limited thereto.

BACKGROUND OF THE INVENTION

Most broadband Internet Service Providers, ISPs, supply access to theirInternet access network through the use of a Cable modem, DSL modem, orWireless modem. The majority of subscribers to these services typicallyutilize a router incorporating Network Address Translation (NAT) as afirewall and also as a means to permit multiple personal computers (PC)sin the residence to utilize simultaneous access to the Internet.

Many of the routers are wireless routers permitting residential PCs toaccess the Internet through either a wired or wireless (Wi-Fi)connection to the router.

The ISP can utilize existing network devices that can observe theactivity occurring at the subscriber modem at the Internet Protocol (IP)level. However, according to Internet Protocol and the design of NATrouters, the activity observed at the modem appears to originate at asingle IP device, the NAT router, and evidence of the number of realworkstations that are active behind the NAT router, and even cascadedNAT routers, is hidden.

ISPs typically have Terms of Service and agreements in the contractswith the subscriber that prohibits the subscriber from extending theInternet access beyond the boundaries of the residential premises.However, inexpensive, off-the-shelf NAT routers can be interconnectedand cascaded by simple wired and wireless connections in an arbitrarytree-and-branch topology that provides full, unhindered Internet accessto all participants. This simple extensibility, the very high speeds nowoffered by ISPs, and the easily-hidden installation of theinterconnections make it difficult to detect where servicere-distribution is occurring. In addition, the widely used Wi-Fiwireless routers are frequently installed with the default configurationthat provides free, unhindered access to all within the umbrella of thesignal, often extending throughout an entire multi-tenant building orbuildings. Problems with this situation include theft-of-serviceresulting in lost revenue to the ISP as well as dissatisfied subscriberswhose performance is being compromised by unknown parasitic userscausing support problems.

What is required, is a system, method and computer readable medium thatis capable of determining the presence of multiple users on a singlesubscriber account.

SUMMARY OF THE INVENTION

In one embodiment of the disclosure, there is provided a method ofdetermining a number of users on a subscriber account comprisingreceiving data; determining a subscriber account associated with saiddata; determining a user associated with said data; and associating saiduser with said subscriber account.

In one embodiment of the disclosure, there is provided a networkcomprising at least one internet service provider that provides aninternet connection for one or more subscriber accounts; and at leastone data processing system comprising at least one database; and atleast one query engine that executes one or more queries on said atleast one database; wherein said data processing system receives datareceived by said at least one internet service provider from said one ormore subscriber accounts; wherein said query engine executes a firstquery on said at least one database to determine a subscriber accountidentity associated with said data; wherein said data processing systemdetermines a user associated with said data; and wherein said dataprocessing system associates said user with said subscriber identity insaid at least one database.

In one embodiment of the disclosure, there is provided an internetservice provider comprising at least one router; and a packet processingengine; wherein said at least one router routes one or more data packetsreceived by said packet processing engine from a user; wherein saidpacket processing engine determines if said one or more data packets areassociated with a subscriber account having a number of associated usersabove a threshold number of users; and wherein said internet serviceprovider redirects a URL page request from said user if said one or moredata packets are associated with a subscriber account having a number ofassociated users above said threshold number of users.

In one embodiment of the disclosure, there is provided a method ofoperating an internet service provider comprising receiving one or moreURL page requests into the internet service provider from a subscriberaccount; determining a number of users associated with said subscriberaccount; and redirecting said URL page requests if said number of usersis greater than a threshold number of users.

In one embodiment of the disclosure, there is provided a computerreadable medium comprising instructions for receiving data from asubscriber account; determining a number of users associated with saidsubscriber account; performing a comparison of said number of users witha threshold; and taking an action with said data dependent on an outcomeof said comparison.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described, by way of example only, withreference to specific embodiments and to the accompanying drawings inwhich:

FIG. 1 schematically illustrates a network in accordance with anembodiment of the disclosure;

FIG. 2 represents a method for determining a number of users associatedwith a subscriber account of an ISP;

FIG. 3 represents a method for redirecting URL page requests dependingon a number of users of an ISP subscriber account;

FIG. 4 schematically illustrates providing a notification to a user;

FIG. 5 represents a processor executing an instruction set fordetermining an excess user condition;

FIG. 6 represents a network providing a plurality of workstationsconnected to a wireless router; and

FIG. 7 represents an alternative network configuration.

DETAILED DESCRIPTION OF THE INVENTION

In the Applicant's earlier patent applications, U.S. Ser. No. 10/023,674and U.S. Ser. No. 10/623,893, the entire contents of which areexplicitly incorporated herein by reference, the present Applicantsdescribed networks in which communications could be provided from an ISPto a subscriber of the ISP. In the referenced applications, aredirection device was placed in the path of upstream traffic from thesubscriber. The redirection device, operating under the control of aconsolidating and management device elsewhere in the network, processedupstream data packets to determine when targeted communications to thesubscriber were required.

The present embodiments utilize many of the features and functionalitiesof the networks described in the Applicant's earlier patent applicationsreferenced above. In FIG. 1, there is shown a system or network 10 inaccordance with an embodiment of the disclosure. In the network 10, anISP 12 provides a link between a subscriber device 14 and the internet16. For the sake of clarity, in the following embodiments the subscriberdevice 14 will be referred to specifically as a personal computer, orPC. However, it will be readily understood by the person skilled in theart that the subscriber device 14 may be any internet enabled devicesuch as a personal computer (PC), laptop, palm device, mobile telephone,gaming console and the like, and all such internet enabled devices areto be considered equivalent.

The network 10 includes at least one redirection device 21 that isplaced at the path of upstream traffic 15 from the subscriber 14, eitherin the path or in a position to monitor the path. As described in theabove referenced earlier applications, the redirection device 21 may beplaced at many points within the network 10 and is preferably placed atan edge of the network that represents the last scaleable point in theoperator's network. In one embodiment, the redirection device 21 isplaced within the ISP 12. The term redirection device is used herein inorder to provide consistency with the Applicant's earlier patentapplications referenced above. The person skilled in the art willunderstand from the foregoing description that in the context of thepresent disclosure, the redirection device may not perform a redirectionfunction in all embodiments.

The network 10 also includes a consolidating and management device 26,for example of the type as described in the Applicant's earlierapplications referenced above. The consolidating and management device26 is operatively associated with the redirection device 21 to form adata processing system, and more particularly a packet processingsystem, as will be described in greater detail below.

The ISP 12 includes a router or switch 22, a redirection device 21 asdescribed above and an address provisioning database 23. The addressprovisioning database 23 stores associations between subscriber accountsof the ISP and IP addresses allocated to the subscribers. A seconddatabase 24 stores associations between subscriber accounts of the ISPand users of the subscriber accounts, as will be described below. Theconsolidating and management device 26 provides a query engine foraccessing data from the databases 23, 24 in response to requests fromthe redirection device 21.

While two databases 23, 24 are illustrated and described herein forclarity, the person skilled in the art will readily understand that thetwo databases 23, 24 can be consolidated into a single database or thatthe two databases can be divided into a higher number of databases. Forexample, the databases 23, 24 may be consolidated with a database forstoring an association between a subscriber and an electronic mailsending profile of the subscriber, as described in the Applicant'sapplication Ser. No. 12/004,634, now issued U.S. Pat. No. 8,700,715, theentire contents of which are herein incorporated by reference.Alternatively or in addition, the databases 23, 24 may be consolidatedwith a database for storing an association between a subscriber and ashared secret as described in the Applicant's application Ser. No.12/004,645, now issued U.S. Pat. No. 8,161,284, the entire contents ofwhich are herein incorporated by reference.

Downstream traffic from the internet 16, indicated by path 28 is routedby the router 22 to the intended subscriber 14. Upstream traffic in theform of data packets 27 follow the path 15 from the subscriber 14 to berouted by the router 22 to the redirection device 21, thence back to therouter 22 and onto the internet 16. In an alternative embodiment shownin FIG. 7, upstream traffic 15 passes directly through the Internetprovider with the addition of a “mirror port” or “tap” allowing theredirector, 21, to monitor the upstream traffic.

The operation of the system 10 will now be described with reference toFIG. 1 and to the flowchart 100 illustrated in FIG. 2. At step 101, datais received from the subscriber 14 and a subscriber account associatedwith the data message is identified at step 102. The system 10 thendetermines a user associated with the data message (step 103) andassociates the user with the subscriber account (step 104).

In one embodiment, the method steps described above are performed withinthe ISP as illustrated in the flowchart 200 of FIG. 3. At step 201, datapackets 27, such as URL page requests, originating at the subscriber arereceived in the ISP 12 and provided to the router 22. The router 22passes selected packets to the redirection device 21 for processing. Inone embodiment, the router passes packets derived from implanted cookiesas will be described below.

The redirection device 21 first analyzes the data packet 27 to retrievean IP address of the data packet 27. The redirection device 21 forwardsthe IP address to the consolidation and management device 26, whichexecutes a first query on the address provisioning database 23 toretrieve a subscriber account identity associated with the IP address.The redirection device 21 then retrieves a user identity from the datapacket 27 and logs an association between the user identity and thesubscriber account in the database 24.

At the time of logging the user association, or at some other time, theconsolidation and management device 26 executes a second query on thesubscriber/user association database 24 to perform a count of the numberof users associated with the subscriber account to determine ifadditional action is required (step 202). If the count is withinallowable limits, then no additional action is required at the time oflogging the user association, and the data packet is re-routed back tothe router 22 where it continues to be processed by the ISP as usual.However, if the user count is outside allowable limits, then the ISP maytake appropriate action, such as redirecting the URL page request (step203).

The ISP 12 may be configured to take different actions based on thecount of users. In one embodiment, a threshold number of users may beset, either by the ISP or by an authorized user of the subscriberaccount using a web based form when initializing the subscriber account.When a new user attempts to communicate with the ISP, the redirectiondevice may determine that the addition of the new user to the subscriberaccount will exceed the allowed user threshold and thus the ISP mayre-direct the new user to notification pages indicating an excess countof users. Other methods for automatically blocking networkcommunications to the new user may be apparent to the person skilled inthe art and are considered equivalent. Blocking access to anillegitimate user will prevent the user from illegally accessing thenetwork, as desired. However, if the new user is a legitimate user, thatuser will takes steps to remedy the situation with the ISP, which mayuncover other, illegitimate, users of the subscriber account.

In one embodiment, the consolidation and management device 26 mayperiodically execute a count query on the user association database 24.Whenever a count of users associated with a subscriber account exceedsan allowed threshold, a notification may be sent to an authorized userof the subscriber account indicating the count status and suggestingremedies to fix the problem. A message may be sent through any suitablemedium such as by an e-mail to an e-mail address registered with thesubscriber account.

In an alternative embodiment, a web-browser message may be sent to auser of a subscriber account using the techniques described in theApplicant's earlier applications referenced above. For example, withreference to FIG. 4, when a user association count exceeds an allowedthreshold, a flag may be set in a policy database 38 that identifies thesubscriber account as requiring notification of the count. When theredirection device 21 receives a web page request, the redirectiondevice 21 processes the request to determine the IP address. Theredirection device 21 then checks, via the consolidating and managementdevice 26 whether a notification is pending for the current subscriberaccount associated with the IP address. If a notification is pending,the redirection device 21 provides to the subscriber an HTML redirectionto destination server 39 that combines the destination URL in the pagerequest and the URL for the message into a new page redirection for thesubscriber's browser to fetch. In one embodiment, in addition to therequested page content 42, the new page 40 includes a banner orsimilarly visible message that indicates to the user 14 that thesubscriber account has an excess number of users. The banner message 41may indicate a possible cause, such as an unencrypted wireless link, aswell as a hyperlink 44 to a downloadable facility for remedying theproblem. The downloadable facility and/or the banner message 41 mayinclude a reset facility for resetting the user count on the subscriberaccount once the problem has been acknowledged and verified by anauthorized user of the subscriber account. In one embodiment, the newpage 40 may include an authentication code that verifies theauthenticity of the count notification to the subscriber. In oneembodiment, the authentication code may be a shared secret, for exampleas described in the Applicant's application Ser. No. 12/004,645, nowissued U.S. Pat. No. 8,161,284, referenced above.

In one embodiment, the user identity is retrieved by first placing ahidden browser cookie incorporating a unique, logged, identifyingnumber, possibly generated randomly and possibly other information suchas time and date, with the user through the issuance of an associatedbulletin message with no visibility to the user. Techniques for placingthe cookie are described in the Applicant's earlier patent applicationsreferenced above. Upon later browser activity, the cookie is retrievedto identify each separate browser. Data derived from the retrievedcookie can be used to uniquely identify the user as separate from otherusers detected at the account. The cookie may be placed and retrieved atvarying intervals to optimize the accuracy of the count of usersassociated with a subscriber account or to observe the flux ofcontinuously different transient users as may occur in an insecure Wi-Finetwork accessible from a public area.

In one embodiment, the user identity may be derived from internetbrowser requests by observing and determining a user “fingerprint” ofeach browser on an account through the discrimination between hostheaders propagated by the users' browsers to any accessed internet site.This header includes identification of the users' operating system andversion, browser and version, and the suite of plug-ins available withinthat browser configuration. The user fingerprint may be associated withthe subscriber identity and stored in the database 24 or may be hashedin order to allow enumerating of separate users but to assure userprivacy in the logs.

In one embodiment, the redirection device processes the data packets todetermine a Media Access Control (MAC) address of the network-facing IPdevice on the account, most frequently a NAT router. The MAC addressesare assigned to manufacturers and most frequently can identify thelikely vendor of a wireless router used on the account. Associating MACaddresses of the routers and other devices that interface with the ISPwith the subscriber accounts can aid in identifying where theft ofservice is occurring, as these devices are typically fixed for aparticular subscriber account.

The consolidation and management device 26 may periodically execute aquery on the database that determines the most recent activity of theusers associated with the subscriber account. If an associated user hasnot had any activity within a predetermined timeframe, for example onemonth, then the consolidating and management device 26 updates thedatabase 24 by removing the inactive user, thereby reducing the count ofusers associated with the subscriber account. In one embodiment, theinactive user is only removed from the count, for example by resettingan ACTIVE status flag, rather than deleting the user from the subscriberaccount, so that any user fingerprint is maintained on the database andcan be reestablished if that user again becomes active. The indicationof a continual flux of new users with others becoming inactive canindicate an instance of a publically-available Wi-Fi associated with theaccount even though the absolute count at any point in time may not bevery high.

The user association database may indicate one or more users of asubscriber account as authorized users. For example, a defaultauthorized user fingerprint may be derived from a user that firstregisters the subscriber account with the ISP. The registering user isthe most likely authentic user. Other authorized users may be nominated,for example through a web based form. An authorized user may be a userwith subscriber account administration rights and is thereforeauthorized to undertake remedial actions. In one embodiment, the displayof the notification may require the provision of a shared secret, forexample as described in the Applicant's application Ser. No. 12/004,645,now issued U.S. Pat. No. 8,161,284, referenced above. The requirementfor a shared secret ensures that warning notifications are only providedto authorized users of the subscriber account.

In one embodiment depicted in FIG. 5, the ISP 12 includes at least oneprocessor 51 operatively associated with at least one memory 52. Thememory 52 stores an instruction set 500 executable on the processor 51.Executing the instructions causes the processor 51 to receive data froma subscriber account (501). The processor 51 then determines a number ofusers associated with the subscriber account (502) and compares thenumber of users with a threshold (503). The processor 51 then determinesan action to be taken depending upon an outcome of the comparison (504).In one embodiment, the action taken may be any of the actions describedpreviously.

In FIG. 6, there is illustrated a network 70 in which a premises 60includes four workstations 61, 62, 63, 64 connected to the ISP 12 via awireless router 65. Of the four workstations, workstation 61 isconsidered to relate to an authorized user of the subscriber account. Anadditional workstation 66 is outside of the premises 60 but within thenetwork coverage provided by the router 65. In an example of the systemsdescribed above, an allowed threshold of four users may be associatedwith the subscriber account. When the fifth user at unauthorizedworkstation 66 connects to the ISP 12 through the wireless router 65,redirection device 21 associates the fifth user with the subscriberaccount in the database 24 and determines that the allowed threshold isexceeded. The user's requested web pages may include a notification thatthe allowed user count has been exceeded or a request to contact theInternet Provider may be preferable to protect the privacy of theaccount holder. Other users 62, 63, 64 will also received similarnotifications and redirections when URL page requests are made. Thenotifications and redirections will continue, either with every pagerequest or periodically, until action to remedy the high user count istaken and the count is reset. In addition, when workstation 61 connectsto the ISP, web page requests are interpreted by the user associationdatabase 24 as originating from the authorized user of the subscriberaccount and thus the web page requests are redirected to incorporate alink to downloadable remedial and count reset facility.

The presently described embodiments demonstrate mechanisms that automatethe identification of likely accounts where intended or unintended theftof service is occurring and provides remedial actions through automatedcommunications to the identified subscriber workstations. Thecommunication can continue to encourage the subscriber to “lock down”their wireless network with authentication passwords and encryption bymeans of simple instructions or even a “click-to-fix” link to adownloadable automated facility that will do it for them. Thecommunications can also dissuade intentional theft of service byproviding a display of a message that demonstrates that the ISP is awareof the large number of users on the account.

An advantage of the embodiments herein described include that subscriberaccount violations can be rapidly detected using network devices thatare relatively simple to install within the ISP and do not require allnetwork traffic to pass through them. In particular, the redirectiondevice 21 requires only read-only access to the data packets that itprocesses both for enumerating the number of users as well ascommunicating back to the users that there is a problem. A furtheradvantage is that the embodiments may be implemented without updatesbeing required to subscriber hardware or software and thus are instantlyapplicable across all subscribers to the ISP.

While one redirection device is shown within the ISP, the person skilledin the art will readily understand that any number of redirectionsdevices may be provided for processing upstream data packets. Inparticular, separate redirection devices may be provided for separatechannels within the ISP. Typically, a single consolidating andmanagement device can be used to manage a plurality of redirectionsdevices and to execute the queries to the databases. However, the personskilled in the art will readily understand that a plurality ofconsolidating and management devices may be employed.

While a single ISP has been described and illustrated, the personskilled in the art will readily understand that a plurality of ISPs maybe provided that utilize a common data processing system or that eachhave an associated data processing system as described above.

Although embodiments of the present invention have been illustrated inthe accompanied drawings and described in the foregoing description, itwill be understood that the invention is not limited to the embodimentsdisclosed, but is capable of numerous rearrangements, modifications, andsubstitutions without departing from the spirit of the invention as setforth and defined by the following claims. For example, the capabilitiesof the invention can be performed fully and/or partially by one or moreof the blocks, modules, processors or memories. Also, these capabilitiesmay be performed in the current manner or in a distributed manner andon, or via, any device able to provide and/or receive information.Further, although depicted in a particular manner, various modules orblocks may be repositioned without departing from the scope of thecurrent invention. Still further, although depicted in a particularmanner, a greater or lesser number of modules and connections can beutilized with the present invention in order to accomplish the presentinvention, to provide additional known features to the presentinvention, and/or to make the present invention more efficient. Also,the information sent between various modules can be sent between themodules via at least one of a data network, the Internet, an InternetProtocol network, a wireless source, and a wired source and viaplurality of protocols.

What is claimed is:
 1. A method, comprising: receiving a URL pagerequest from a user of a user device operating an internet browser;determining a subscriber account associated with said URL page requestby executing a first query on at least one database; identifying a userfingerprint associated with the user, the user fingerprint comprisinguser identity information derived from header information transmittedfrom the user's internet browser to at least one accessed internet site;associating the user fingerprint with the user's identity and thesubscriber account; executing a second query on said at least onedatabase to determine a number of users associated with the subscriberaccount and to determine whether the number of associated users areabove a threshold number of users; if the subscriber account has anumber of associated users above the threshold number of users, thenredirecting the URL page request received from the user to anotification page which indicates to the user that the number of usersis above the threshold number of users, and wherein at least one userassociated with said subscriber account is an authorized user; anddetermining if said URL page request is received from said authorizeduser, wherein a URL page to which the user is redirected is dependent onwhether said user from which said URL page request is received is theauthorized user.
 2. The method according to claim 1 wherein determininga subscriber account comprises determining an IP address provided insaid URL page request, and retrieving said subscriber account from atleast one database using said IP address.
 3. The method according toclaim 1 wherein associating said user with said subscriber accountcomprises storing an association between said user and said subscriberaccount in at least one database.
 4. The method according to claim 3further comprising enumerating a number of users associated with saidsubscriber account.
 5. The method according to claim 4 whereinenumerating a number of users comprises counting a number of usersassociated with said subscriber account in said at least one database.6. The method according to claim 1 wherein the header informationcomprises at least one of an identification of the user's operatingsystem and version, the user's browser and version.
 7. The methodaccording to claim 1 wherein the header information comprises a suite ofplug-ins available within the user's browser configuration.
 8. Themethod according to claim 1 wherein said notification comprises ahyperlink to a downloadable remedial facility.
 9. The method accordingto claim 1 wherein said URL page comprises a hyperlink to a count resetfacility.
 10. The method according to claim 9 wherein said count resetfacility that resets a number of users associated with said subscriberaccount.
 11. The method according to claim 1 further comprising storingsaid user fingerprint in at least one database.
 12. The method accordingto claim 1 further comprising determining a user associated with saidURL page request.
 13. The method according to claim 12 whereindetermining a user associated with said URL page request comprisesprocessing cookie data derived from a cookie of a user web browser. 14.The method according to claim 13 wherein said cookie data uniquelyidentifies said user web browser.
 15. The method according to claim 13further comprising providing said cookie to said user.
 16. A system,comprising: at least one internet service provider server that providesan internet connection for one or more subscriber accounts; and at leastone data processing apparatus comprising: at least one database andcorresponding memory; and at least one query engine processor thatexecutes one or more queries on said at least one database; wherein saiddata processing system receives a URL page request from a user of a userdevice operating an internet browser, which is received by said at leastone internet service provider from said one or more subscriber accounts;wherein said query engine processor executes a first query on said atleast one database to determine a subscriber account identity associatedwith said URL page request; wherein said data processing systemidentifies a user fingerprint associated with a user, the userfingerprint comprising user identity information derived from headerinformation transmitted from the user's internet browser to at least oneaccessed internet site; associating the user fingerprint with the user'sidentity and the subscriber account; and wherein said query engineprocessor executes a second query on said at least one database todetermine a number of users associated with the subscriber accountidentity and to determine whether the number of associated users areabove a threshold number of users; if the subscriber account has anumber of associated users above the threshold number of users, thenredirecting the URL page request received from the user to anotification page which indicates to the user that the number of usersis above the threshold number of users, and wherein at least one userassociated with said subscriber account is an authorized user; anddetermining if said URL page request is received from said authorizeduser, wherein a URL page to which the user is redirected is dependent onwhether said user from which said URL page request is received is theauthorized user.
 17. The system of claim 16, wherein said dataprocessing system determines a user associated with said data.
 18. Thesystem of claim 16, wherein the header information comprises at leastone of an identification of the user's operating system and version, theuser's browser and version, and a suite of plug-ins available within theuser's browser configuration.
 19. A system, comprising: at least onerouter apparatus; and a packet processing engine; wherein said at leastone router routes one or more data packets received by said internetservice provider from a user of a user device operating an internetbrowser to said packet processing engine; wherein said packet processingengine determines if said one or more data packets are associated with asubscriber account by executing a first query on at least one database,and wherein said packet processing engine identifies a user fingerprintassociated with the user, the user fingerprint comprising user identityinformation derived from header information transmitted from the user'sinternet browser to at least one accessed internet site, and associatesthe user fingerprint with the user's identity and the subscriberaccount; and wherein said packet processing engine determines a numberof users associated with the subscriber account by executing a secondquery on the at least one database and determines whether the number ofassociated users are above a threshold number of users; wherein saidinternet service provider redirects a URL page request from said user toa notification page which indicates to the user that the number of useris above the threshold number of users if said one or more data packetsare associated with a subscriber account having a number of associatedusers above said threshold number of users, and wherein at least oneuser associated with said subscriber account is an authorized user; andwherein said internet service provider determines if said URL pagerequest is received from said authorized user, wherein a URL page towhich the user is redirected is dependent on whether said user fromwhich said URL page request is received is the authorized user.
 20. Thesystem according to claim 19 wherein said router routes data packetsderived from a cookie of a user browser to said packet processingengine, said data packets derived from said cookie uniquely identifyinga user.
 21. The system according to claim 19 further comprising: a queryengine wherein said packet processing engine: retrieves an IP addressprovided in said one or more data packets; utilizes said query engine toretrieve a subscriber identity associated with said IP address from saidat least one database; utilizes said query engine to retrieve a numberof users associated with said subscriber identity from said at least onedatabase; compares said number of users with said threshold number ofusers.
 22. A method, comprising: receiving one or more URL page requestsinto the internet service provider from a user of a user deviceoperating an internet browser associated with a subscriber account;determining a subscriber account associated with said one or more URLpage requests by executing a first query on at least one database;identifying a user fingerprint associated with the user, the userfingerprint comprising user identity information derived from headerinformation transmitted from the user's internet browser to at least oneaccessed internet site; associating the user fingerprint with the user'sidentity and the subscriber account; executing a second query on said atleast one database to determine a number of users associated with thesubscriber account and to determine whether the number of associatedusers are above a threshold number of users; redirecting said URL pagerequests to a notification page which indicates to the user that thenumber of users is above the threshold number of users if said number ofusers is greater than a threshold number of users, and wherein at leastone user associated with said subscriber account is an authorized user;and determining if said URL page request is received from saidauthorized user, wherein a URL page to which the user is redirected isdependent on whether said user from which said URL page request isreceived is the authorized user.
 23. The method according to claim 22wherein determining a number of users associated with a subscriberaccount comprises determining a subscriber account identity from saidone or more URL page requests and executing a query on at least onedatabase using said subscriber account identity.
 24. A non-transitorycomputer readable storage medium configured to store instructions thatwhen executed cause a processor to perform: receiving a URL page requestfrom a user of a user device operating an internet browser associatedwith a subscriber account; determining a subscriber account associatedwith said URL page request by executing a first query on at least onedatabase; identifying a user fingerprint associated with the user, theuser fingerprint comprising user identity information derived fromheader information transmitted from the user's internet browser to atleast one accessed internet site; associating the user fingerprint withthe user's identity and the subscriber account; executing a second queryon said at least one database to determine a number of users associatedwith the subscriber account and to determine whether the number ofassociated users are above a threshold number of users; if thesubscriber account has a number of associated users above the thresholdnumber of users, then redirecting the URL page request received from theuser to a notification page which indicates to the user that the numberof users is above the threshold number of users, and wherein at leastone user associated with said subscriber account is an authorized user;and determining if said URL page request is received from saidauthorized user, wherein a URL page to which the user is redirected isdependent on whether said user from which said URL page request isreceived is the authorized user.
 25. The non-transitory computerreadable storage medium of claim 24, wherein the header informationcomprises at least one of an identification of the user's operatingsystem and version, the user's browser and version, and a suite ofplug-ins available within the user's browser configuration.